01.0 Policy Responsibilities and Oversight

Transcription

1 Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities & Oversight The purpose of this Information Security Policy is to formalize the Security and Internal Control standards that the City of Chicago ( City ) has adopted to mitigate security risks to employee and constituent data as well as to comply with applicable external controls and regulations including the Health Information Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, the Payment Card Industry's Data Security Standards (PCI-DSS), the Freedom of Information Act (FOIA), the Illinois State Local Records Act (LRA) and the Illinois State Breach Disclosure Laws. In addition, this policy specifically defines how computing and communication assets, systems and resources should be accessed, configured, used and protected and the types of monitoring activities City personnel should execute to maintain the security of the City operating environment. This document is published under the authority of the Chief Information Officer and provides a framework for safeguarding data and information including personally identifiable information (PII), protected health information (PHI) and payment cardholder data (CHD), including the creation, processing, management, transmission, storage, and disposal of information within the scope the. All City Departments are subject to the provisions within. Exceptions to any provision can only be granted by the Chief Information Officer, the Chief Information Security Officer or their delegates. The Commissioner of the Department of Innovation of Technology (DoIT) holds the Chief Information Officer (CIO) designation. The Chief Information Security Officer (CISO) leads the Information Security Office (ISO) which is part of the Department of Innovation and Technology (DoIT). This policy reviews the following areas: 1.1 Roles and Responsibilities Management Commitment to Information Security & Sponsorship Allocation of Information Security Responsibilities Independent Review of Information Security Information Technology and Security Policy Maintenance Security Policy Approval Additions & Changes to Policy Review of the Information Security Policy Revision History... 8 Classification: Internal Page 1 of 8

2 1.1 Roles and Responsibilities All employees, contractors and agents must support the information security program detailed herein Management Commitment to Information Security & Sponsorship Management must approve and be committed to all Information Security initiatives set forth in this Information Security Policy. As such, management must identify a sponsor to drive assessment, compliance, and enforcement activities. a. Ultimately, the Chief Information Officer will be responsible for compliance and enforcement activities associated with this Information Technology and Security Policy. The Information Security Office will be responsible for driving day to day activities and enforcement. HIPAA: (a)(2). b. The Information Security Office is the internal group responsible for managing and directing a city-wide information protection program. Specific responsibilities include: developing or coordinating the development of security policy, standards and guidelines; managing a data, application and platform classification program which includes the identification of information and application owners; identifying information protection goals and objectives within the scope of a strategic plan; identifying key information security program elements; identifying key corporate information security initiatives and standards; developing information security guidelines for personnel; developing and managing an information security program budget; ensuring the timely publication of approved information security related policies and procedures; coordinating information security awareness activities across the ; taking appropriate action on security violations; coordinating information security for future initiatives related to privacy and security of data or other areas as deemed appropriate; and Reporting on a regular basis to the Chief Information Officer. HIPAA: (a)(2), ISO: Classification: Internal Page 2 of 8

3 1.1.2 Allocation of Information Security Responsibilities Roles and responsibilities for ensuring support of the Information Security Policy must be assigned. a. The City s Chief Information Officer is responsible for overall security of information assets and technology at the City. The Chief Information Officer may delegate specific responsibilities related to information security to others within the City based on their job function. Specific responsibilities are assigned as follows: The responsibility to establish, document, and distribute security policies and standards is assigned to the Chief Information Security Officer. Should the Chief Information Security Officer position become vacant, this responsibility will be assigned to a knowledgeable member of management by the Chief Information Officer. PCI DSS The responsibility to monitor and analyze security alerts and information, and distribute to appropriate personnel is assigned to the Chief Information Security Officer. Should the Chief Information Security Officer position become vacant, this responsibility will be assigned to a knowledgeable member of management by the Chief Information Officer. PCI DSS The responsibility to establish, document, and distribute information security incident response and escalation procedures to ensure timely and effective handling of all situations is assigned to the Chief Information Security Officer. Should the Chief Information Security Officer position become vacant, this responsibility will be assigned to a knowledgeable member of management by the Chief Information Officer. PCI DSS Overall responsibility for administering user accounts, including additions, deletions, and modifications, is assigned to the Head of Technical Operations and Enterprise Network Architecture. Should that position become vacant, this responsibility will be assigned to a knowledgeable member of management by the Chief Information Officer. Wherever additional user accounts may be required for a specific software application or Program, the responsibility for administering user accounts, including additions, deletions, and modifications, is assigned to the Program Manager responsible for that Program. PCI DSS The responsibility to monitor and control all access to data is assigned to the Head of Technical Operations and Enterprise Network Architecture for file, print, and network access. Should that position become vacant, this responsibility will be assigned to a knowledgeable member of management by the Chief Information Officer. For data that is created, maintained and/or managed in conjunction with a specific software application or program, the responsibility to monitor and control all access to data is assigned to the Business Owner responsible for that program or their delegate. PCI DSS b. The Information Security Office is responsible for coordinating the review of risks and security implications associated with the use of all technologies within the City s operating environment. PCI: Classification: Internal Page 3 of 8

4 c. An Information User is any City employee, vendor, contractor, or other authorized person who uses City information in the course of their daily work. Information User responsibilities include: maintaining the confidentiality of their user credentials; reporting suspected security violations to the Information Security Office; adhering to corporate information security policies, standards and technical controls; and; using City information resources responsibly and for authorized purposes only. ISO:6.1.3, PCI:12.4 d. An Information Owner is a manager responsible for the City information assets. Individual Information Owners reside within Business Units or Departments, not the Department of Innovation and Technology. Information Owner responsibilities include: ISO: assigning initial information classification levels; periodic reviews to ensure current information classification meets the current business need and level of perceived risk; verifying that employee and third party access rights are current; determining security access criteria; and determining availability and backup requirements for the information they own. e. An Information Custodian is any the City employee, vendor, contractor, or other authorized person who has the responsibility for maintaining and/or supporting information. Information Owners have the right to delegate data maintenance and ownership responsibilities to Information Custodians. The Information Owner may designate one or more Information Custodians based on the level of delegated responsibilities. The Information Custodian must provide the following: ISO: assistance to the Information Owners in determining appropriate levels of data classification (see Data and Asset Classification Policy); and operationally provide assurance for the confidentiality, integrity and availability of information. f. System Administrators are required to maintain, operate and implement technology solutions for the City in accordance with the security policy. Access to servers is restricted to authorized System Administrators who are responsible for deploying, implementing and monitoring security controls on an operational basis. Guidance for the specific controls must be provided by Information Security Office. Responsibilities include: ISO: system security patch applications; system documentation; system performance; security monitoring; application of necessary technical security controls; and communication to Information Security Office on security related incidents and issues. Classification: Internal Page 4 of 8

5 g. The Information Security Office or a designated Internal Audit group is responsible for monitoring compliance with the standards and guidelines outlined by the security policy. If an Internal Audit group is designated, frequent communication between the Information Security Office and Internal Audit is critical to the protection of the City's information assets. The Information Security Office must aid Internal Audit by assisting in the identification of security threats and vulnerabilities throughout the City environment. These risks must be communicated appropriately so suitable mitigating controls can be put in place. HIPAA: (a)(8), ISO: h. Technical Operations and Enterprise Network Architecture is responsible for the day-to-day data center operations. This includes the management of the Uninterruptible Power Supply (UPS) and all other environmental controls, in addition to racking new devices, pulling cabling, and operating network jacks. This team is also responsible for understanding, maintaining and operating the data center fire suppression systems. i. Technical Operations and Enterprise Network Architecture is responsible for configuring and maintaining the City network. This includes implementing specific logical controls for segmenting the network and providing network access control Independent Review of Information Security A review of the City environment must be conducted by either the Information Security Office or a designated Internal Audit team or an independent third party to identify any new threats and to ensure proper security controls are in place throughout the organization. a. The City's security policy, standards and security environment must be reviewed annually. Any recommendations from this review must be resolved and considered for incorporation into the security policy and implemented as applicable. Determining the level of assurance is the responsibility of the Information Security Office and/or Internal Audit. HIPAA: (a)(8), ISO: 6.1.8, PCI: Classification: Internal Page 5 of 8

6 1.2 Information Technology and Security Policy Maintenance The Information Security Policy must be approved, maintained, and annually reviewed in order to ensure its effectiveness Security Policy Approval The Information Security Policy must be approved by management. Based on the review being conducted, all approvals must follow the pre-defined, documented information security policy approval process. a. The Information Security Office is responsible for creating, reviewing and coordinating the approval and implementation of any security practices, policies, and standards. HIPAA: (a)(2), ISO: 5.1, PCI: b. The Information Security Office is responsible for ensuring that all security practices and standards are reviewed and approved on an annual basis. ISO: Additions & Changes to Policy Any additions or changes to the Information Security Policy must be managed and approved. All additions to the information security policy must follow the pre-defined, documented information security policy change process. a. Any business unit, group or department may initiate practice or standards development with the Information Security Office. The Information Security Office will analyze requests and address each at their discretion based upon this analysis. ISO: 5.1 b. The Information Security Office is responsible for ensuring that all new information security policies and standards follow the existing practice structure and format of the information security policy or as deemed appropriate by the Chief Information Officer. At a minimum, the following tasks must be conducted for all new or changed information security policies: A communication plan must be developed, at a minimum including notification of new practices, integration into security awareness materials, and special training for technical users/personnel (if deemed necessary); An impact analysis must be conducted or coordinated by the Information Security Office prior to all information security policy changes to measure the risk and security implications driving the requested change and potential implementation requirements for full implementation of the changed policy; HIPAA: (b)(1)(ii), ISO: 5.1 Classification: Internal Page 6 of 8

7 1.2.3 Review of the Information Security Policy An annual review of the Information Security Policy must be conducted to ensure relevance and identify any gaps in the policy. a. The Information Security Office is responsible for initiating an annual review of the information security policy. HIPAA: (a)(8), ISO: 5.2, PCI: b. The Information Security Office must perform a technical review to ensure standards remain in sync with business requirements, vendor- and industry-recommended practices and current technology and regulatory requirements. HIPAA: (a)(8), ISO: 5.2 c. The annual review must include a review of any impacting legal changes to ensure practice compliance with all applicable municipal, state and federal laws. HIPAA: (a)(8), ISO: 5.2 d. The annual review results must be presented to the City s Chief Information Officer. All comments and requests made must be addressed and any modifications must be made via the Information Security Policy Change Procedures processes outlined by the Information Security Office. ISO: 5.2 Classification: Internal Page 7 of 8

8 1.3 Revision History Date Version Description Author 01/15/ Initial Draft ISO 07/26/ Approved as Release Candidate v1 CISO 12/30/ Approved as Release Candidate v2 CISO Classification: Internal Page 8 of 8